Page Contents
- PBX Configuration - adjust the settings of your PBX to minimize obvious attack surfaces (no longer considered optional - just part of setting up any PBX).
- Perimeter Security - Add software/hardware around your PBX to improve security (one notch above configuration - just part of operating any server).
- Integrated Security - add software which integrates with your specific PBX to improve security (this is what really makes a difference in protecting your PBX).
Note that some recommendations (e.g. changing ports, port knocking, etc.) are ideal for small and home office installations, whereas the same recommendations are impractical for large-scale deployments. Also, some recommendations are a good starting point (e.g. a hardware firewall) but are no longer sufficient on their own to protect a PBX.
Integrated Security
SecAst
SecAst is an intrusion detection and prevention system designed specifically to protect Asterisk phone systems against intrusion and fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. SecAst is available in three editions, including a free edition. SecAst can be downloaded from www.generationd.com, or check out the wiki page SecAst (Asterisk Intrusion Detection and Prevention).
Fail2Ban
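How a log-based banner such as Fail2Ban works, shown here as an added example (illustrative code, not fail2ban's own and not SecAst's): it parses failed-registration NOTICE lines, counts failures per source IP inside a sliding time window, and records the iptables DROP rule it would insert once the threshold is reached. The log line shape, the sample log, and the parameter names (maxretry, findtime and bantime, which fail2ban jails also use) are assumptions of the example. The slow prober in the sample stays below the threshold in every window and is never banned, which is one reason not to depend on this mechanism alone.

```python
"""Fail2Ban-style ban logic over Asterisk log lines.

Added example, not fail2ban's own code. The log format below is assumed
(chan_sip "Registration from ... failed for ..." NOTICE lines); the
maxretry/findtime/bantime parameters mirror fail2ban's jail options of the
same names, and the ban action only records the iptables command it would run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: [YYYY-MM-DD HH:MM:SS] NOTICE[pid] chan_sip.c: Registration
# from '<contact>' failed for '<ip>:<port>' - <reason>
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*"
    r"Registration from '[^']*' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?'"
)


class FailureTracker:
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry                     # failures that trigger a ban
        self.findtime = timedelta(seconds=findtime)  # sliding window length
        self.bantime = timedelta(seconds=bantime)    # how long a ban lasts
        self.failures = defaultdict(deque)           # ip -> recent failure times
        self.banned = {}                             # ip -> ban expiry
        self.actions = []                            # iptables commands (dry run)

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAIL_RE.match(line)
        if m is None:
            return None                              # not a failure record
        now = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        self._expire(now)
        if ip in self.banned:
            return None                              # already dropped at the firewall
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:       # forget failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        self.banned[ip] = now + self.bantime
        window.clear()
        self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
        return ip

    def _expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban's unban step)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")


def scan(log_text, **jail_options):
    """Run a log through the tracker; return (IPs banned, in order, and the tracker)."""
    tracker = FailureTracker(**jail_options)
    banned = [ip for ip in map(tracker.feed, log_text.splitlines()) if ip]
    return banned, tracker


# Constructed sample log: 198.51.100.7 hammers one extension, 192.0.2.9 probes
# slowly (one failure every 12 minutes, never reaching maxretry inside findtime).
SAMPLE_LOG = """\
[2024-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.9:5060' - No matching peer found
[2024-03-01 10:00:06] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:07] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:00:08] VERBOSE[1234] chan_sip.c:     -- Registered SIP '101' at 203.0.113.20:5060
[2024-03-01 10:12:05] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.5>' failed for '192.0.2.9:5060' - No matching peer found
[2024-03-01 10:24:05] NOTICE[1234] chan_sip.c: Registration from '"202" <sip:202@203.0.113.5>' failed for '192.0.2.9:5060' - No matching peer found
"""

if __name__ == "__main__":
    banned, tracker = scan(SAMPLE_LOG)
    print("banned:", banned)
    print("slow prober still unbanned:", "192.0.2.9" not in tracker.banned)
    for cmd in tracker.actions:
        print(cmd)
```

Run it directly to see which address gets banned and the DROP rule that would be inserted. A real deployment executes the iptables commands, follows the log as it is written and rotated, and handles IPv6 addresses, none of which this example does; lowering maxretry or widening findtime catches the slow prober in the sample, at the cost of more false positives from legitimate phones with a mistyped secret.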
Fail2Ban is a free utility which scans log files for records of failures (failed registrations, etc.) and then adds the offending source IP to iptables. See the security warning regarding fail2ban - don't depend on it.
Perimeter Security
If you are looking to add layers around your PBX with generic protection:
Hardware Firewall
Most Asterisk boxes should be located behind a hardware firewall. Configure the firewall to block traffic from anyone that doesn't need to connect to you. Allow your VoIP provider, any remote phones/users, and others that may need to connect, but keep the restrictions as tight as possible. If you do have remote users, lock your firewall down to only allow those users' addresses to connect if possible, rather than opening it to the entire internet. If you have mobile users, however, this may not be an option.
Other services, such as SSH, should be blocked by the hardware firewall. ...